INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added 'ci-upstream-kasan-gce-386-4,10.128.0.57' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 31.177867] ================================================================== [ 31.185269] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 [ 31.192428] Read of size 4 at addr ffff8801cf47f960 by task syzkaller928430/2979 [ 31.199936] [ 31.201538] CPU: 1 PID: 2979 Comm: syzkaller928430 Not tainted 4.14.0-rc1+ #5 [ 31.208780] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.218107] Call Trace: [ 31.220670] dump_stack+0x194/0x257 [ 31.224271] ? arch_local_irq_restore+0x53/0x53 [ 31.228914] ? show_regs_print_info+0x65/0x65 [ 31.233386] ? lock_release+0xd70/0xd70 [ 31.237333] ? xfrm_state_find+0x305b/0x3190 [ 31.241713] print_address_description+0x73/0x250 [ 31.246526] ? xfrm_state_find+0x305b/0x3190 [ 31.250910] kasan_report+0x24e/0x340 [ 31.254777] __asan_report_load4_noabort+0x14/0x20 [ 31.259677] xfrm_state_find+0x305b/0x3190 [ 31.263885] ? __save_stack_trace+0x61/0xd0 [ 31.268198] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 31.273275] ? copy_trace+0x1d0/0x1d0 [ 31.277054] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.282214] ? check_noncircular+0x20/0x20 [ 31.286422] ? lock_downgrade+0x990/0x990 [ 31.290548] ? find_held_lock+0x39/0x1d0 [ 31.294588] ? __lock_acquire+0x732/0x4620 [ 31.298809] ? find_held_lock+0x39/0x1d0 [ 31.302859] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.308025] ? depot_save_stack+0x1c2/0x490 [ 31.312327] ? do_raw_spin_trylock+0x190/0x190 [ 31.316882] ? 
check_noncircular+0x20/0x20 [ 31.321101] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 31.325323] ? __xfrm_decode_session+0x100/0x100 [ 31.330055] ? lock_downgrade+0x990/0x990 [ 31.334173] ? inet_sendmsg+0x11f/0x5e0 [ 31.338115] ? sock_sendmsg+0xca/0x110 [ 31.341980] ? SYSC_sendto+0x358/0x5a0 [ 31.345844] ? check_noncircular+0x20/0x20 [ 31.350057] ? rt_add_uncached_list+0xa2/0x240 [ 31.354609] ? check_noncircular+0x20/0x20 [ 31.358820] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 31.364262] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 31.368644] ? lock_downgrade+0x990/0x990 [ 31.372772] ? dst_init+0x4d9/0x6a0 [ 31.376376] ? xfrm_selector_match+0xe00/0xe00 [ 31.380928] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.386092] ? lock_release+0xd70/0xd70 [ 31.390045] ? refcount_inc_not_zero+0xfe/0x180 [ 31.394692] ? xfrm_selector_match+0x3b/0xe00 [ 31.399160] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 31.403892] ? xfrm_selector_match+0xe00/0xe00 [ 31.408451] ? check_noncircular+0x20/0x20 [ 31.412653] ? ip_route_output_key_hash_rcu+0x604/0x2c20 [ 31.418080] xfrm_lookup+0xf0a/0x2540 [ 31.421851] ? xfrm_lookup+0xf0a/0x2540 [ 31.425799] ? ip_route_input_noref+0x1e0/0x1e0 [ 31.430447] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 31.436827] ? find_held_lock+0x39/0x1d0 [ 31.440871] ? lock_downgrade+0x990/0x990 [ 31.445000] ? ip_route_output_key_hash+0x1a6/0x370 [ 31.449995] ? lock_release+0xd70/0xd70 [ 31.453956] ? kasan_check_write+0x14/0x20 [ 31.458166] ? ip_route_output_key_hash+0x252/0x370 [ 31.463156] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 31.468674] xfrm_lookup_route+0x39/0x1a0 [ 31.472973] ip_route_output_flow+0x7c/0xa0 [ 31.477268] raw_sendmsg+0xc4f/0x38c0 [ 31.481055] ? raw_setsockopt+0xd0/0xd0 [ 31.485006] ? get_mem_cgroup_from_mm+0x49b/0x710 [ 31.489822] ? lock_page_memcg+0x3b0/0x3b0 [ 31.494028] ? __lock_is_held+0xbc/0x140 [ 31.498066] ? lru_cache_add+0x1c7/0x3a0 [ 31.502094] ? get_mem_cgroup_from_mm+0x710/0x710 [ 31.506907] ? lru_cache_add_file+0x20/0x20 [ 31.511218] ? 
lock_downgrade+0x990/0x990 [ 31.515345] ? __might_fault+0xe0/0x1d0 [ 31.519292] ? sock_has_perm+0x29c/0x400 [ 31.523327] ? selinux_tun_dev_create+0xc0/0xc0 [ 31.527965] ? lock_release+0xd70/0xd70 [ 31.531912] ? check_same_owner+0x320/0x320 [ 31.536202] ? __check_object_size+0x25d/0x4f0 [ 31.540768] inet_sendmsg+0x11f/0x5e0 [ 31.544538] ? __might_sleep+0x95/0x190 [ 31.548482] ? inet_recvmsg+0x5f0/0x5f0 [ 31.552428] ? selinux_socket_sendmsg+0x36/0x40 [ 31.557069] ? security_socket_sendmsg+0x89/0xb0 [ 31.561794] ? inet_recvmsg+0x5f0/0x5f0 [ 31.565742] sock_sendmsg+0xca/0x110 [ 31.569436] SYSC_sendto+0x358/0x5a0 [ 31.573127] ? SYSC_connect+0x480/0x480 [ 31.577068] ? find_held_lock+0x39/0x1d0 [ 31.581113] ? lock_downgrade+0x990/0x990 [ 31.585252] ? handle_mm_fault+0x410/0x8d0 [ 31.589454] ? down_read_trylock+0xdb/0x170 [ 31.593743] ? __do_page_fault+0x2b8/0xb60 [ 31.597949] ? __handle_mm_fault+0x39c0/0x39c0 [ 31.602500] ? vmacache_find+0x61/0x270 [ 31.606459] SyS_sendto+0x40/0x50 [ 31.609885] ? SyS_getpeername+0x30/0x30 [ 31.613922] do_fast_syscall_32+0x3f2/0xeed [ 31.618222] ? do_int80_syscall_32+0x930/0x930 [ 31.622775] ? kasan_check_read+0x11/0x20 [ 31.626894] ? syscall_return_slowpath+0x500/0x500 [ 31.631795] ? SyS_rt_sigaction+0x94/0x1b0 [ 31.636004] ? lockdep_sys_exit+0x47/0xf0 [ 31.640133] ? retint_user+0x18/0x20 [ 31.643823] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 31.648643] entry_SYSENTER_compat+0x51/0x60 [ 31.653028] RIP: 0023:0xf7f94c79 [ 31.656360] RSP: 002b:00000000fff50a9c EFLAGS: 00000282 ORIG_RAX: 0000000000000171 [ 31.664046] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020fdbfc0 [ 31.671284] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000020fdbff0 [ 31.678521] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 [ 31.685761] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 31.693002] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 31.700261] [ 31.701859] The buggy address belongs to the page: [ 31.706761] page:ffffea00073d1fc0 count:0 mapcount:0 mapping: (null) index:0x0 [ 31.714874] flags: 0x200000000000000() [ 31.718734] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff [ 31.726583] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 [ 31.734428] page dumped because: kasan: bad access detected [ 31.740103] [ 31.741699] Memory state around the buggy address: [ 31.746595] ffff8801cf47f800: f2 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 [ 31.753929] ffff8801cf47f880: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 f2 [ 31.761257] >ffff8801cf47f900: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 [ 31.768583] ^ [ 31.775042] ffff8801cf47f980: f2 00 00 00 00 00 00 00 00 00 f2 f2 f2 f3 f3 f3 [ 31.782546] ffff8801cf47fa00: f3 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 [ 31.789874] ================================================================== [ 31.797199] Disabling lock debugging due to kernel taint [ 31.802685] Kernel panic - not syncing: panic_on_warn set ... [ 31.802685] [ 31.810015] CPU: 1 PID: 2979 Comm: syzkaller928430 Tainted: G B 4.14.0-rc1+ #5 [ 31.818466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 31.827783] Call Trace: [ 31.830337] dump_stack+0x194/0x257 [ 31.833930] ? 
arch_local_irq_restore+0x53/0x53 [ 31.838564] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.843285] ? xfrm_state_find+0x2fc0/0x3190 [ 31.847658] panic+0x1e4/0x417 [ 31.850815] ? __warn+0x1d9/0x1d9 [ 31.854238] ? xfrm_state_find+0x305b/0x3190 [ 31.858611] kasan_end_report+0x50/0x50 [ 31.862548] kasan_report+0x137/0x340 [ 31.866311] __asan_report_load4_noabort+0x14/0x20 [ 31.871201] xfrm_state_find+0x305b/0x3190 [ 31.875401] ? __save_stack_trace+0x61/0xd0 [ 31.879698] ? xfrm_state_afinfo_get_rcu+0x160/0x160 [ 31.884768] ? copy_trace+0x1d0/0x1d0 [ 31.888538] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.893693] ? check_noncircular+0x20/0x20 [ 31.897893] ? lock_downgrade+0x990/0x990 [ 31.902008] ? find_held_lock+0x39/0x1d0 [ 31.906034] ? __lock_acquire+0x732/0x4620 [ 31.910234] ? find_held_lock+0x39/0x1d0 [ 31.914268] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.919421] ? depot_save_stack+0x1c2/0x490 [ 31.923712] ? do_raw_spin_trylock+0x190/0x190 [ 31.928259] ? check_noncircular+0x20/0x20 [ 31.932465] xfrm_tmpl_resolve+0x2fb/0xbd0 [ 31.936673] ? __xfrm_decode_session+0x100/0x100 [ 31.941398] ? lock_downgrade+0x990/0x990 [ 31.945510] ? inet_sendmsg+0x11f/0x5e0 [ 31.949453] ? sock_sendmsg+0xca/0x110 [ 31.953304] ? SYSC_sendto+0x358/0x5a0 [ 31.957159] ? check_noncircular+0x20/0x20 [ 31.961360] ? rt_add_uncached_list+0xa2/0x240 [ 31.965908] ? check_noncircular+0x20/0x20 [ 31.970110] xfrm_resolve_and_create_bundle+0x186/0x24b0 [ 31.975536] ? xfrm_tmpl_resolve+0xbd0/0xbd0 [ 31.979911] ? lock_downgrade+0x990/0x990 [ 31.984022] ? dst_init+0x4d9/0x6a0 [ 31.987614] ? xfrm_selector_match+0xe00/0xe00 [ 31.992157] ? debug_check_no_locks_freed+0x3d0/0x3d0 [ 31.997310] ? lock_release+0xd70/0xd70 [ 32.001249] ? refcount_inc_not_zero+0xfe/0x180 [ 32.005886] ? xfrm_selector_match+0x3b/0xe00 [ 32.010349] ? xfrm_sk_policy_lookup+0x2cf/0x3d0 [ 32.015076] ? xfrm_selector_match+0xe00/0xe00 [ 32.019623] ? check_noncircular+0x20/0x20 [ 32.023820] ? 
ip_route_output_key_hash_rcu+0x604/0x2c20 [ 32.029238] xfrm_lookup+0xf0a/0x2540 [ 32.033004] ? xfrm_lookup+0xf0a/0x2540 [ 32.036941] ? ip_route_input_noref+0x1e0/0x1e0 [ 32.041578] ? xfrm_policy_lookup_bytype.constprop.49+0x16f0/0x16f0 [ 32.047955] ? find_held_lock+0x39/0x1d0 [ 32.051983] ? lock_downgrade+0x990/0x990 [ 32.056098] ? ip_route_output_key_hash+0x1a6/0x370 [ 32.061081] ? lock_release+0xd70/0xd70 [ 32.065026] ? kasan_check_write+0x14/0x20 [ 32.069233] ? ip_route_output_key_hash+0x252/0x370 [ 32.074211] ? ip_route_output_key_hash_rcu+0x2c20/0x2c20 [ 32.079717] xfrm_lookup_route+0x39/0x1a0 [ 32.083834] ip_route_output_flow+0x7c/0xa0 [ 32.088129] raw_sendmsg+0xc4f/0x38c0 [ 32.091901] ? raw_setsockopt+0xd0/0xd0 [ 32.095839] ? get_mem_cgroup_from_mm+0x49b/0x710 [ 32.100646] ? lock_page_memcg+0x3b0/0x3b0 [ 32.104847] ? __lock_is_held+0xbc/0x140 [ 32.108878] ? lru_cache_add+0x1c7/0x3a0 [ 32.112903] ? get_mem_cgroup_from_mm+0x710/0x710 [ 32.118020] ? lru_cache_add_file+0x20/0x20 [ 32.122317] ? lock_downgrade+0x990/0x990 [ 32.126435] ? __might_fault+0xe0/0x1d0 [ 32.130374] ? sock_has_perm+0x29c/0x400 [ 32.134400] ? selinux_tun_dev_create+0xc0/0xc0 [ 32.139032] ? lock_release+0xd70/0xd70 [ 32.142972] ? check_same_owner+0x320/0x320 [ 32.147264] ? __check_object_size+0x25d/0x4f0 [ 32.151815] inet_sendmsg+0x11f/0x5e0 [ 32.155588] ? __might_sleep+0x95/0x190 [ 32.159526] ? inet_recvmsg+0x5f0/0x5f0 [ 32.163464] ? selinux_socket_sendmsg+0x36/0x40 [ 32.168098] ? security_socket_sendmsg+0x89/0xb0 [ 32.172819] ? inet_recvmsg+0x5f0/0x5f0 [ 32.176759] sock_sendmsg+0xca/0x110